Non-Kubernetes Container Scanning
Sysdig supports two types of container scanning:
- Kubernetes containers: The runtime scanner installed with the Sysdig agent scans for runtime vulnerabilities in Kubernetes workloads.
- Non-Kubernetes containers: To scan non-Kubernetes containers such as Docker, you can extend any of the three non-Kubernetes host scanning configurations, as described below.
Prerequisites
- Sysdig Secure SaaS, running the Vulnerability Management engine
- If you suspect you are on the old Scanning engine, see Which Scanning Engine to Use.
- Host Scanner v.0.7.0+
Supported Container Versions
- Docker Engine API Version v1.21 (introduced in Docker Engine 1.9.0) and above.
- Podman version 3.1+
Limitations
Risk Spotlight/In-Use and Reporting features are not yet supported for non-Kubernetes container scanning.
Installation Options
For more context on the core Host Scanner, review Host Scanning.
Install on a Host as a Container
Follow the steps in Install Agent Components | Hosts | Containers | Vulnerability Host Scanner, with these changes:
Add the following environment variables to the Docker command:
-e USE_COMBINED_SCANNER=true -e SCAN_CONTAINERS_ENABLED=true
Container scans will be shown within 30 minutes of installation. They are refreshed four times per day if new vulnerabilities are added to Sysdig’s vulnerability database.
By default, the host scanner attempts to connect to the following sockets:
- Docker Unix socket
/var/run/docker.sock
- Podman Unix socket
/var/run/podman.sock
Should you have a custom socket location, you can override it by adding these environment variables to the Docker command (optional):
-e DOCKER_SOCKET_PATHS=unix:///var/run/docker.sock -e PODMAN_SOCKET_PATHS=unix:///var/run/podman.sock
Install as an RPM Package
Follow the steps in Install Agent Components | Hosts | Packages | Vulnerability Host Scanner | RPM-Based Operating System, with these changes:
Complete steps 1 and 2.
In step 3, add the following to the configuration file:
# container scanning options
USE_COMBINED_SCANNER=true
SCAN_CONTAINERS_ENABLED=true
# optional container scanning parameters.
# Uncomment and provide them only if your docker / podman setup has a
# different socket path
# DOCKER_SOCKET_PATHS=unix:///var/run/docker.sock
# PODMAN_SOCKET_PATHS=unix:///var/run/podman.sock
Install as a Binary Application
Follow the appropriate steps for your binary application situation in Install Agent Components | Hosts | Packages | Vulnerability Host Scanner | Other OSes or Raw Binary.
Scan for Containers
You can scan for containers in addition to the host by running the sysdig-host-scanner command with these additional parameters after SYSDIG_API_URL:
USE_COMBINED_SCANNER=true
SCAN_CONTAINERS_ENABLED=true
Add Custom Sockets (Optional)
By default, the host scanner attempts to connect to the following sockets:
- Docker Unix socket
/var/run/docker.sock
- Podman Unix socket
/var/run/podman.sock
Should you have a custom socket location, you can override it by setting the following environment variables (for the binary they are plain variables on the command line, not Docker -e flags):
DOCKER_SOCKET_PATHS=unix:///var/run/docker.sock
PODMAN_SOCKET_PATHS=unix:///var/run/podman.sock
For example:
SYSDIG_ACCESS_KEY=<access-key> SYSDIG_API_URL=<api-url> USE_COMBINED_SCANNER=true SCAN_CONTAINERS_ENABLED=true DOCKER_SOCKET_PATHS=unix:///var/run/docker.sock PODMAN_SOCKET_PATHS=unix:///var/run/podman.sock ./sysdig-host-scanner
Environment File Option
Alternatively, if you are creating an environment file to store the configuration and a systemd unit file to run the binary as a service, add the following to /opt/draios/etc/vuln-host-scanner/env:
# optional container scanning parameters.
# Uncomment and provide them only if your docker / podman setup has a
# different socket path
# DOCKER_SOCKET_PATHS=unix:///var/run/docker.sock
# PODMAN_SOCKET_PATHS=unix:///var/run/podman.sock
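The binary procedure above depends on the scanner being able to open the Docker or Podman socket and on the daemon meeting the documented minimum API version (v1.21). The following POSIX shell script is an added example, not Sysdig's code: it strips the unix:// scheme from the socket variables, verifies each socket exists and is readable and writable by the user that will run the scanner, checks a daemon API version string against the v1.21 minimum, and only then starts ./sysdig-host-scanner with the same variables the page uses. It assumes each socket variable holds a single unix:// URL (the only form shown on this page) and that curl is available for the optional live version query.

```shell
#!/bin/sh
# Added example (not part of Sysdig's documentation or tooling).
# Pre-flight checks before running sysdig-host-scanner with container
# scanning enabled. Assumption: DOCKER_SOCKET_PATHS / PODMAN_SOCKET_PATHS
# each carry one unix:// URL, as in the page's examples.

# Strip the unix:// scheme from a socket URL, leaving the filesystem path.
socket_path_from_url() {
    printf '%s\n' "$1" | sed 's|^unix://||'
}

# Return 0 if the URL points at an existing Unix socket that the current
# user can read and write; otherwise explain why and return 1. Without
# socket access the scanner cannot enumerate containers at all.
check_socket() {
    path=$(socket_path_from_url "$1")
    if [ ! -S "$path" ]; then
        echo "missing or not a socket: $path" >&2
        return 1
    fi
    if [ ! -r "$path" ] || [ ! -w "$path" ]; then
        echo "no read/write permission on $path (check the docker group or run as root)" >&2
        return 1
    fi
    return 0
}

# Return 0 if an API version string such as "1.44" satisfies the documented
# minimum of Docker Engine API v1.21 (Docker Engine 1.9.0 and later).
api_version_ok() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;   # reject empty or non-numeric input
    esac
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 21 ]; }
}

# Ask a live Docker daemon for its API version over the socket
# (needs curl and a running daemon; not exercised offline).
docker_api_version() {
    curl -s --unix-socket "$(socket_path_from_url "$1")" http://localhost/version \
        | sed -n 's/.*"ApiVersion":"\([^"]*\)".*/\1/p'
}

# Start the scanner the way the page's command line does, after the checks.
# Arguments: access key, API URL, docker socket URL, podman socket URL
# (pass an empty string to skip a runtime that is not installed).
run_scanner() {
    ok=1
    for sock in "$3" "$4"; do
        [ -n "$sock" ] && check_socket "$sock" && ok=0
    done
    if [ "$ok" -ne 0 ]; then
        echo "no usable container socket found; aborting" >&2
        return 1
    fi
    if [ -n "$3" ]; then
        ver=$(docker_api_version "$3")
        api_version_ok "$ver" || { echo "Docker API $ver is below v1.21" >&2; return 1; }
    fi
    SYSDIG_ACCESS_KEY="$1" SYSDIG_API_URL="$2" \
    USE_COMBINED_SCANNER=true SCAN_CONTAINERS_ENABLED=true \
    DOCKER_SOCKET_PATHS="$3" PODMAN_SOCKET_PATHS="$4" \
    ./sysdig-host-scanner
}

# Usage: ./preflight.sh <access-key> <api-url> unix:///var/run/docker.sock unix:///var/run/podman.sock
if [ "$#" -eq 4 ]; then
    run_scanner "$@"
fi
```

The permission check matters more than it looks: a scanner started as an unprivileged service account will silently report no containers if it cannot open the socket, so failing early with a clear message is preferable to a host-only scan that appears to succeed.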